
How can organizations improve their crisis management?

The way in which an organization responds to and recovers from a crisis can make the difference between its ultimate success or failure. A new international standard was published in October 2022 to provide guidance to help organizations plan, establish, maintain, review and continually improve their strategic crisis management capability.

Kev Brear, our Head of Governance, Risk & Compliance and a practitioner with more than 20 years’ experience in crisis management, has played an important role in developing this new international standard and previous national and international standards in the same area. He explains here how organizations can improve their crisis management response, and what the new ISO standard is designed to achieve.

What do we mean when we talk about a crisis?

A crisis is a low-frequency, high-impact event that creates strategic-level challenges for an organization and as a result requires a strategic-level response. It’s important to stress that a crisis is rare and unique. We often think of a crisis in terms of a big, visible event such as a cyber attack or civil emergency, but a crisis can be triggered by less obvious events. This could include an event that is purely reputational – such as a breach of ethics – or by a failure in an organization’s structures or processes, which stops it from functioning effectively.

At its extreme, a crisis can result in the end of a company – Pan Am, for example, filed for bankruptcy two years after the Lockerbie disaster but it was in severe financial distress for at least a decade before the crash. Lockerbie was the crisis that tipped the company over the edge.

What has caused confusion in the past is that many people use the word ‘crisis’ when they mean something else – which may well be an emergency, but which does not require a strategic-level response. This can create misplaced confidence in an organization’s abilities to deal with a genuine crisis when it strikes.

Why is crisis management important?

It’s essential that every organization has a plan to protect itself in the event of a crisis. Research shows that after a crisis, an organization’s share value typically falls sharply and then, once the crisis management process kicks in, the share price tends to stabilize and then recover, depending on how well the organization is perceived by the markets to be handling the crisis. But if an organization does nothing, the share price will continue to plummet. In other words, crisis management has a financial value.

How does crisis management differ from business continuity?

An organization cannot be truly resilient unless it has an effective crisis management structure in place. Business continuity focuses on business impact analysis rather than strategic response. The pandemic challenged a lot of our thinking around business continuity – a business continuity plan won’t save a high street retail business, for example, if no-one can leave their house. Businesses had to adapt very quickly to survive – and those that did, such as the businesses that switched to producing hand sanitizer, turned a crisis into an opportunity.

Many people use the word ‘crisis’ when they mean something else. This can create misplaced confidence in an organization’s abilities to deal with a genuine crisis when it strikes.

– Kev Brear, Nortal’s Head of Governance, Risk & Compliance

How does crisis management differ from a cyber breach response?

Most cyber breaches are an incident rather than a crisis – meaning that while they have the potential to cause disruption and loss, they don’t require a strategic response. That said, some cyber breaches can escalate quickly into a crisis. It’s vital that organizations can recognize when the situation is changing and adapt their response. Cyber breaches tend to be seen purely as the responsibility of tech people, but the business still needs to make a profit, fulfil its purpose, meet its obligations and maintain its share price or value.

What does effective crisis management look like?

A crisis requires resources, the setting of a clear strategy to protect operational resiliency, and the involvement of senior leaders. A crisis will also have distinct phases – the initial phase when the crisis strikes, the response phase, stabilization, recovery and finally the return to a stable operating environment.

An effective crisis management capability has several elements: a governance and ethical framework, organizational structure, adequate resources, competent individuals, and the right leadership skills and culture that encourages the organization to learn and improve.

What does the new ISO 22361 (Security and Resilience – Crisis Management – Guidelines) do?

The standard was developed to help organizations design, develop and improve their crisis management capability. Because flexibility is important, the standard takes a principles-based approach, setting out a list of seven principles from which a crisis management framework can be developed and implemented.

It also sets out a clear and agreed definition of a crisis for the first time: ‘An abnormal or extraordinary event or situation that threatens an organization or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity’. The standard sets out the distinction between a crisis and another adverse event, as well as the requirements of an effective crisis management framework, and a description of recommended best practices.

Why do we need this ISO?

Before this ISO, there was no agreed benchmark of what ‘good’ crisis management looked like. The new standard will help organizations improve their resilience, but also provides a benchmark for organizations that want to invest in crisis management training, consulting, and other services – this is a growing industry and it’s important that people know what to look for when they are using these services.

What do organizations need to do to implement the standard?

There are three important next steps for organizations. First, it’s important that the right people know about the ISO and what it means for the organization – that means briefing strategic leaders, top management, and the leaders and members of the crisis management team. Second, we recommend that organizations carry out a gap analysis to understand what needs to be done to strengthen the organization’s resilience and crisis management system. Then, a clear plan needs to be developed and implemented to fill in any gaps that are identified.
